Thursday 14 June 2012 6:04:54 pm - 4 replies
Hello everybody.
I have a little question about ezjscore. If you check the site.ini of ezjscore you can see that the anonymous user has access to the call and hello views:

[RoleSettings]
PolicyOmitList[]=ezjscore/hello
PolicyOmitList[]=ezjscore/call
If an anonymous user enters the following URL: http://my-domain.com/ezjscore/call/ezjscnode::subtree::5
he can list the user accounts. I can comment out the PolicyOmitList, but if I upgrade eZ Publish the changes will be removed.
However, if I create a new server function, the anonymous user can't access it unless I configure the rights.
Is there a way to block access to ezjscnode for anonymous users?
Thanks
Romain
Friday 15 June 2012 7:46:52 am
Hi Romain,
You can reset the [RoleSettings] in override/site.ini.append.php. But then you have to add all PolicyOmitList entries which are set in the custom extensions you need.

[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=user/logout
PolicyOmitList[]=user/register
PolicyOmitList[]=user/activate
PolicyOmitList[]=user/success
PolicyOmitList[]=user/forgotpassword
PolicyOmitList[]=layout
#PolicyOmitList[]=manual
#PolicyOmitList[]=ezinfo/copyright
#PolicyOmitList[]=ezinfo/about
#PolicyOmitList[]=paypal/notify_url
#PolicyOmitList[]=ezjscore/hello
#PolicyOmitList[]=ezjscore/call

So you have under control what an anonymous user should have access to by default.
For users who have access to ezjscore/call you have to create a policy in the ezbackend.
Hope this will help.
Cheers Felix
Modified on Friday 15 June 2012 7:48:33 am by Felix Woldt
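To check what that reset actually does before relying on it, here is an added Python example (not code from this thread or from eZ Publish) that computes the effective PolicyOmitList from constructed fragments of ezjscore's site.ini and the override above. It assumes the eZ Publish ini rules in its docstring and that the override file loads after the extension settings, so a view that is no longer in the list falls back to the role policies.

```python
"""Effective [RoleSettings] PolicyOmitList from layered eZ Publish ini files.
Added example, not eZ Publish code; it implements only the ini rules needed
here: `Key[]=value` appends, a bare `Key[]` resets the array, `#` comments,
the `<?php /* ... */ ?>` wrapper of .append.php files, later files override."""

# Constructed fragments standing in for the real settings files.
EZJSCORE_SITE_INI = """
[RoleSettings]
PolicyOmitList[]=ezjscore/hello
PolicyOmitList[]=ezjscore/call
"""

OVERRIDE_SITE_INI_APPEND = """<?php /* #?ini charset="utf-8"?
[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=layout
#PolicyOmitList[]=ezjscore/hello
#PolicyOmitList[]=ezjscore/call
*/ ?>
"""

def parse_ini(text, settings):
    """Merge one ini file into settings (dict of section -> key -> value)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<?php", "*/")):
            continue  # blank line, comment, or the .append.php wrapper
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key.endswith("[]"):
            settings[section][key] = value
        elif not sep:  # bare Key[] with no '=' resets the array
            settings[section][key[:-2]] = []
        else:
            settings[section].setdefault(key[:-2], []).append(value)
    return settings

def effective_policy_omit_list(*ini_files):
    """Apply files in load order; views listed here skip role policy checks."""
    settings = {}
    for text in ini_files:
        parse_ini(text, settings)
    return settings.get("RoleSettings", {}).get("PolicyOmitList", [])
```

Run it against your real settings files in load order to confirm that ezjscore/call is absent from the result; if it is still present, an extension or siteaccess file loaded later is re-adding it.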
Saturday 16 June 2012 11:01:20 am
I think this has also been fixed in recent security-related commits: now the ezjscnode::subtree call will check the permissions of the current user, much in the same way as node/view/full does.